Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnaDYtODV4aC00Nzlw
Regular Expression Denial of Service in npm-user-validate
npm-user-validate before version 1.0.1 is vulnerable to a Regular Expression Denial of Service (ReDoS). The regex that validates user emails took exponentially longer to process long input strings beginning with @ characters.
Impact
The issue affects the email function. If you use this function to process arbitrary user input with no character limit, the application may be susceptible to Denial of Service.
Patches
The issue is patched in version 1.0.1 by improving the regular expression used and also enforcing a 254 character limit.
Workarounds
Restrict the character length to a reasonable degree before passing a value to .email(); also consider doing more rigorous sanitizing/validation beforehand.
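The workaround and the fix both amount to the same thing: cap the input length before the regex engine sees it. The following is an added example, not code from npm-user-validate; it wraps a validator in a length guard (using the same 254-character cap the 1.0.1 fix enforces) and counts how often the regex actually runs, so you can see the constructed attacker string is rejected without ever reaching it. The two regexes are illustrative assumptions, not the package's own patterns.

```javascript
// Added example: length-capped wrapper around an email validator, mirroring the
// advisory's workaround and the 254-character cap in the 1.0.1 fix.
// Not code from npm-user-validate; both regexes below are illustrative only.

const MAX_EMAIL_LENGTH = 254; // RFC 5321 address length limit; same cap the fix uses

// Illustrative backtracking-prone shape (assumption: NOT the package's regex).
// With `.+` on both sides of '@', the engine can retry every split of a long
// string that never satisfies the trailing `\..+`, so cost climbs with length.
const PRONE_EMAIL_RE = /^.+@.+\..+$/;

// Safer shape: each part excludes '@' and whitespace, so there is only one
// way to split the input and failure is found without a blow-up in retries.
const SAFER_EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Wrap any regex-based validator in a length guard. The guard runs first, so an
// over-long string is rejected before the regex is invoked at all.
function makeGuardedValidator(re, maxLen = MAX_EMAIL_LENGTH) {
  let regexCalls = 0;
  function validate(input) {
    if (typeof input !== 'string') return new Error('Email must be a string');
    if (input.length > maxLen) {
      return new Error(`Email length should be at most ${maxLen} characters`);
    }
    regexCalls += 1; // only counted when the regex engine really runs
    if (!re.test(input)) return new Error('Email must be an email address');
    return null; // null means "valid", matching the advisory's .email() convention
  }
  return { validate, regexCalls: () => regexCalls };
}

// Constructed attacker input: a long run of '@' characters, the input shape the
// advisory names. 50,000 characters is far past the 254 cap.
const ATTACK_INPUT = '@'.repeat(50000);

// Run three inputs through the guarded safer validator and report what happened.
function demo() {
  const guarded = makeGuardedValidator(SAFER_EMAIL_RE);
  const results = {
    valid: guarded.validate('alice@example.com'),
    invalidNoAt: guarded.validate('alice.example.com'),
    attack: guarded.validate(ATTACK_INPUT),
  };
  return { results, regexCalls: guarded.regexCalls() };
}

for (const [name, r] of Object.entries(demo().results)) {
  console.log(name, r === null ? 'ok' : r.message);
}
```

The guard is what matters: even with the prone pattern (`makeGuardedValidator(PRONE_EMAIL_RE)`), the attacker string above never reaches the regex, because only strings of 254 characters or fewer are matched, and those are too short to cost meaningful time. Swapping in a pattern without overlapping `.+` segments is the second layer the fix adds.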
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXhnaDYtODV4aC00Nzlw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 3 years ago
Updated: over 1 year ago
Identifiers: GHSA-xgh6-85xh-479p
References:
- https://github.com/npm/npm-user-validate/security/advisories/GHSA-xgh6-85xh-479p
- https://github.com/advisories/GHSA-xgh6-85xh-479p
Blast Radius: 0.0
Affected Packages
npm:npm-user-validate
Dependent packages: 88
Dependent repositories: 117,524
Downloads: 2,904,884 last month
Affected Version Ranges: <= 1.0.0
Fixed in: 1.0.1
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.1.0, 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 1.0.0
All unaffected versions: 1.0.1, 2.0.0